> bpf: Tighten cgroup storage cookie checks for prog arrays
>
> The recent KCTF-reported cgroup local storage issue assigned
> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
> in cgroup local storage").
>
> However, the previous fixes are still incomplete. The current prog-array
> compatibility check treats a program with no cgroup storage as
> compatible with any stored storage cookie. This allows a storage-less
> program to bridge a tail-call chain between an entry program and a
> storage-using callee even though runtime cgroup local storage still
> follows the caller context.
>
> Require exact per-type storage_cookie equality when checking prog-array
> compatibility. This blocks zero-storage bridge programs from joining a
> prog-array owned by a storage-using program and closes the residual
> A -> B(no storage) -> C(storage) path.
>
> This also aligns with Amery Hung's earlier NULL-storage tail-call fix by
> requiring storage use to match consistently across prog-array users.
>
> Cc: [email protected]
> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> Tested-by: Amery Hung <[email protected]>
> Signed-off-by: Lin Ma <[email protected]>
> Signed-off-by: Rongzhen Cui <[email protected]>
> Signed-off-by: Jingguo Tan <[email protected]>

Should the Fixes: tag point to abad3d0bad72 instead of 7d9c3427894f?

The code this patch removes is the '|| !cookie' clause in
__bpf_prog_map_compatible():

  ret = map->owner->storage_cookie[i] == cookie ||
        !cookie;

That permissive '|| !cookie' clause, which treats a storage-less program
as compatible with any stored cookie, was introduced by abad3d0bad72
("bpf: Fix oob access in cgroup local storage").

The commit referenced by the current tag, 7d9c3427894f ("bpf: Make
cgroup storages shared between programs on the same cgroup"), only added
the shared cgroup-storage feature and does not touch
__bpf_prog_map_compatible() or add the storage_cookie[] check.

Would this be more accurate?

  Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")

This same question was raised on the v1 thread by the bpf-ci review bot
(https://lore.kernel.org/bpf/[email protected]/),
noting that the patch removes the '|| !cookie' logic introduced in
abad3d0bad72 rather than the original shared storage feature.  The reply
disagreed and kept the tag pointing at 7d9c3427894f in v2, but the
reviewer did not acknowledge that explanation, so it may be worth
settling before this is applied.

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26806034423
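To make the bridge path concrete, here is an added model of the two variants of the check (illustration only, not kernel code and not from this patch); it assumes the first program checked against a prog array becomes its owner, and the cookie values are constructed:

```c
#include <stdbool.h>
#include <stdint.h>
/* Two cgroup storage types, mirroring MAX_BPF_CGROUP_STORAGE_TYPE; a
 * cookie of 0 means the program uses no storage of that type. Names
 * and layout are a model for illustration, not kernel code. */
#define STORAGE_TYPES 2

struct prog {
	uint64_t storage_cookie[STORAGE_TYPES];
};
/* A prog array remembers the first program checked against it as its
 * owner (assumed ownership model, following bpf_prog_map_compatible). */
struct prog_array {
	const struct prog *owner;
};
/* Check as shipped by abad3d0bad72: a storage-less program (cookie 0)
 * is accepted whatever cookie the owner carries. */
static bool compatible_permissive(struct prog_array *map, const struct prog *p)
{
	if (!map->owner) { map->owner = p; return true; }
	for (int i = 0; i < STORAGE_TYPES; i++)
		if (!(map->owner->storage_cookie[i] == p->storage_cookie[i] ||
		      !p->storage_cookie[i]))
			return false;
	return true;
}

/* Strict variant proposed by the patch: cookies must match per type. */
static bool compatible_strict(struct prog_array *map, const struct prog *p)
{
	if (!map->owner) { map->owner = p; return true; }
	for (int i = 0; i < STORAGE_TYPES; i++)
		if (map->owner->storage_cookie[i] != p->storage_cookie[i])
			return false;
	return true;
}

/* Replay A -> B(no storage) -> C(storage): can B join A's array and
 * also reference the array that C owns? Cookies are constructed. */
static bool bridge_possible(bool (*check)(struct prog_array *, const struct prog *))
{
	const struct prog a = { { 0x1111, 0 } };  /* entry, storage X */
	const struct prog b = { { 0, 0 } };       /* storage-less bridge */
	const struct prog c = { { 0x2222, 0 } };  /* callee, storage Y */
	struct prog_array m1 = { 0 }, m2 = { 0 };
	check(&m1, &a);  /* A references m1 first and becomes its owner */
	check(&m2, &c);  /* C is checked against m2 first and owns it */
	return check(&m1, &b) && check(&m2, &b);
}
```

With the permissive clause B is admitted on both sides of the chain; with exact equality the first step already fails, which is the residual path the patch closes.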
